Aug 16, 2015

The Github Attack, part 1: Making international cyberlaw the ugly way

Over the past few years, the US government has invested heavily in trying to create international norms for cyberspace. We’ve endlessly cajoled other nations to agree on broad principles about internet freedom and how the law of war applies to cyberconflicts. Progress has been slow, especially with countries that might actually face us in a cyberwar.

But the bigger problem with the US effort is simple: Real international law is not made by talking. It’s made by doing.

“If you want to know the law … you must look at it as a bad man,” Oliver Wendell Holmes Jr. once observed. A bad man only cares whether he’ll be punished or not. If you tell him that an act is immoral but won’t be punished, Holmes argued, you’re telling him that it’s lawful.

When it comes to international law, Holmes nailed it. In dealings between nations, norms are established by what governments do. If countries punish a novel attack effectively, that builds an international norm against the attack. And if they tolerate the attack without retaliating, they are creating an international norm that permits it.

When it comes to setting new norms through inaction, though, the most troubling incident is China’s denial of service attack on GitHub. Like lots of US tech successes, GitHub didn’t exist ten years ago, but it is now valued at more than $2 billion. Its value comes from creating a collaborative environment where software can be edited by dozens or hundreds of people around the world. Making information freely available is the core of its business.

So when the Chinese government decided to block access to the New York Times, the paper provided access to Chinese readers via GitHub. China then tried to block GitHub, as it had the Times.

But the Chinese didn’t give up that easily. They went looking for another way to punish GitHub.

And found it. Earlier this year, GitHub was soon hit with a massive distributed denial of service attack. Computers in the US, Taiwan, and Hong Kong sent waves of meaningless requests to GitHub, swamping its servers and causing intermittent outages for days. The company’s IT costs skyrocketed. A similar attack was launched against Greatfire.org, a technically sophisticated anticensorship site.

A Citizens Lab report shows that this denial of service attack was actually a pathbreaking new use of China’s censorship infrastructure. Over the years, China has built a “Great Firewall” that interrupts every single internet communication between China and the rest of the world. Up to now, China has used that infrastructure to inspect Chinese users’ requests for content from abroad. Uncontroversial requests are allowed to proceed after inspection. But most requests for censored information trigger a reset signal that cuts the connection.

The same infrastructure could be used to inspect foreign requests for data from Chinese sites but there’s no obvious need to do so because the Chinese sites are already under the government’s thumb.

But the Github attack shows an imaginative repurposing of the censorship machinery. Instead of subtracting packets from the foreign data requests, China decided to add a few packets -- of malware.

Whenever foreigners -- whether from the US, Taiwan, or Hong Kong -- visited a site inside the Great Firewall, they were already downloading buckets of code to run on their machines. Called javascript, this code is now a standard part of almost all internet browsing. It’s javascript that makes your computer play those moving, talking ads you love so much, and its importance to advertisers means that it isn't likely to fade away any time soon. That's too bad, because javascript actually runs code on your machine, so it’s not just an annoyance, it’s a serious security risk.

A risk China managed to exploit. How? Well, since China’s censorship infrastructure was already intercepting all the packets running between China and the outside world, it was easy enough for China to drop a few additional javascripts into the stream of legitimate advertisers’ code that foreign users were already downloading.

Once on the user’s machine, though, instead of stealing credit card information the way most javascript malware does, the Chinese government’s code started sending packets to GitHub. Soon, millions of infected machines were doing the same, and Github’s servers couldn’t keep up. The attack brought GitHub to its knees.

For several technical reasons, it’s also plain that the Chinese government could not have expected to keep its hand hidden. Indeed, the Citizen Lab report makes clear that no one other than the Chinese government could have used this technique or this infrastructure.

Think about that for a minute. This was an attack that was carried out largely on American soil, first by infecting hundreds of thousands of American computers and then by launching them at a US company, all with the goal of punishing Americans for hosting the content of a preeminent US newspaper. And China didn’t even bother to hide its actions from the US government.

As it turns out, the Chinese had taken our measure pretty well. Not until May, weeks after the attacks, did the State Department respond. And then it simply announced that it “has asked Chinese authorities to investigate” the attack. Really? What’s to investigate? Given the evidence of Chinese complicity, the request seems pointless. And now, months later, it appears that the Chinese have not deigned to respond.

The message is clear. The administration has decided to tolerate this kind of attack. As Justice Holmes reminds us, for bad men all that matters are the consequences of their acts. By imposing no consequences on the GitHub attack, the United States has done its bit to make such attacks lawful.

That’s a foolish choice, and one than needs to be reversed. We shouldn't tolerate such contempt for both our values and our borders. Even if the US government won’t take action, Americans can still take action that will deter such attacks in the future. I’ll talk about that in my next post.